The Jetty web server has a Java Password class that can obfuscate plain text and reverse that obfuscation. This is especially useful when configuring features, like SSL, that require placing passwords in configuration files. Without obfuscation, those passwords are stored as plain text.
Obfuscation only makes a text string harder for a person to read at a glance. It is not encryption: the same Password class reverses it, as covered later on this page.
Before you start, you'll need:
In my examples I'm using Jetty 9.4 and Java 1.8.
The Password class is part of lib/jetty-util-[VERSION_NUMBER].jar. To obfuscate a password, use the following command.
java -cp jetty-util-[VERSION_NUMBER].jar org.eclipse.jetty.util.security.Password [PASSWORD]
- The [VERSION_NUMBER] will be specific to the version of Jetty you're using. Verify the file name that came with your version of Jetty.
- The [PASSWORD] is your plain text password that you want obfuscated.
$ java -cp jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password SecretPassword123
2017-08-15 18:44:13.036:INFO::main: Logging initialized @148ms to org.eclipse.jetty.util.log.StdErrLog
SecretPassword123
OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
MD5:512d9845442e46f891bafc22f06b171e
In this example, my [VERSION_NUMBER] is 9.4.6.v20170531 and my [PASSWORD] is SecretPassword123. The class return data is:
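- Plain text password is SecretPassword123
- Obfuscated password is OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
- MD5 is MD5:512d9845442e46f891bafc22f06b171e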
The obfuscated password can be used in Jetty's configuration files where needed. When using the obfuscated password, make sure to include the
The Password class makes reversing obfuscation easy. The process is the same as obfuscating plain text, except you pass in the obfuscated password to the Password class as depicted below.
java -cp jetty-util-[VERSION_NUMBER].jar org.eclipse.jetty.util.security.Password [OBF:PASSWORD]
$ java -cp jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
2017-08-15 18:45:48.165:INFO::main: Logging initialized @134ms to org.eclipse.jetty.util.log.StdErrLog
SecretPassword123
OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
MD5:f8ad4d396e4cc2eb2955d3911eb14cb9
Notice the [OBF:PASSWORD] is equal to the obfuscated password from the previous return data. The class will detect that the password starts with OBF: and utilize methods to reverse the obfuscation. The return data is the same as before, except this time we're interested in the plain text version of the password.
I've found this useful when working with SSL keystores for which I don't have the keystore password. I can take the obfuscated password set in the Jetty configuration files and use the Password class to obtain the password.
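Added example (not from the original post or from the Jetty project): a Python re-implementation of the OBF: decoding that the Password class performs, used to audit configuration text for values that can be recovered without any key. The function names are hypothetical, and the sample configuration and its property names are constructed for illustration; the OBF value is the one from the output above.

```python
import re

# "OBF:" followed by base-36 groups; a "U" prefix marks a non-ASCII byte.
OBF_RE = re.compile(r"OBF:(?:U?[0-9a-z]{4})+")

# Constructed sample: property names are illustrative, the OBF value is the
# one shown in the example output on this page.
SAMPLE_CONFIG = """\
# constructed start.ini fragment
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.keyStorePassword=OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
jetty.sslContext.trustStorePassword=changeit
"""


def deobfuscate(token):
    """Reverse an OBF: string. Note that no key or secret is needed."""
    s = token[4:] if token.startswith("OBF:") else token
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":  # non-ASCII byte b1 stored as base36(b1 * 256 + b2)
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:  # ASCII byte b1 stored as base36((127+b1+b2) * 256 + (127+b1-b2))
            hi, lo = divmod(int(s[i:i + 4], 36), 256)
            out.append((hi + lo - 254) // 2)
            i += 4
    return out.decode("utf-8")


def audit(config_text):
    """Return (line_number, recovered_length) for each reversible OBF: value."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        for match in OBF_RE.finditer(line):
            try:
                recovered = deobfuscate(match.group(0))
            except ValueError:  # looks like OBF: but does not decode; skip it
                continue
            findings.append((number, len(recovered)))
    return findings


if __name__ == "__main__":
    for number, length in audit(SAMPLE_CONFIG):
        print(f"line {number}: OBF value decodes to a {length}-character secret; "
              "treat the file as holding a plain text password")
```

Because decoding needs nothing but the string itself, a configuration file containing an OBF: value should get the same file permissions and secret-handling as one containing the plain text password.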